Skip to main content

Cloudflare OIDC integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

OIDC (OpenID Connect) is an open standard protocol that provides a way to authenticate and authorize access to applications without giving the application your login credentials.

Arculix by SecureAuth, offers a simple method for adding single sign-on (SSO) MFA to Cloudflare with its OIDC solution.


  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative privileges for Cloudflare.

Add OIDC application in Arculix

In this section, you'll configure Arculix to act as an OIDC Provider to authenticate the user and grant access to Cloudflare.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:


    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Cloudflare-OIDC.


    Set to OpenID Connect Relying Party Application [oidc_client].

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the OIDC Configuration tab, and set the following configurations:



    Login URL 

    Optional. Enter the login URL for your Cloudflare instance.

    Redirect URLs

    Enter the redirect URL (Redirect_uri) that Arculix will use to send back the authorization code.

    You can register more than one redirect URL (Redirect_uri).

    For example, https://<your-team-name>

    Client Settings 


    Application Type 

    Set to Web application.

    Grant Type 

    Set to Authorization code – User logs in to the application, then the application redirects the flow to Arculix for authentication. After authentication, Arculix returns an authorization code to the application, then exchanges the code for an access token and an identity token.

    Authentication Method 

    Set to Basic – Basic authentication method that transmits the client secret in clear text. To ensure the security of the client secret, use HTTPS to encrypt the communication.

    Scopes and Claims 


    Select the following scopes:

    • profile – Allow access to user's profile information like postal address and phone number.

    • email – Allow access to user's email address.


    Access Token Timeout 

    Set how long the access token is valid for before it times out. By default this set to 1 minute.

    Refresh Token Timeout 

    Set how long the refresh token is valid for before it times out and requires the user to reauthenticate. By default this is set to 1 day.

  5. Save your changes.

  6. Edit the configured OIDC application and select the Advanced tab.

  7. Copy the UID and Secret values.

    You will need these for the Cloudflare configuration.

Cloudflare configuration

In this section, you will configure the Cloudflare application that supports OIDC.

  1. Log in to Cloudflare with an administrator account.

  2. From the left panel, go to Settings, select Authentication and click OpenID Connect.

  3. Set the following configurations.


    Enter a name for this identity provider to display on the login page.

    For example, Arculix OpenID Connect.

    App ID

    Paste the UID value copied from the Cloudflare OIDC application in Arculix.

    Client Secret

    Paste the Secret value copied from the Cloudflare OIDC application in Arculix.

    Well-known endpoint

    Open the well-known OIDC discovery endpoint URL in this format:<organization>/oauth2/v1/.well-known/openid-configuration

    Auth URL

    Enter the authorization URL in this format:<organization>/oauth2/v1/auth

    Token URL

    Enter the token URL in this format:<organization>/oauth2/v1/token

    Certificate URL

    Enter the certificate URL in this format:<organization>/oauth2/v1/jwks

  4. Save your changes.

Test your OIDC application integration

  1. Go to the login URL for your Cloudflare application.

  2. You will be redirected to the Arculix SSO page.

    Application login page with QR code
  3. After successful authentication, select your preferred MFA method to approve access to the Cloudflare application.

    Select MFA method
  4. You'll be redirected to the Cloudflare application home page.


If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.